State of npm Supply Chain Trust — Q2 2026: We Audited the Top 100 Packages
We scored the top 100 npm packages by weekly download count. Here's what the data shows.
7 of the top 10 most-downloaded npm packages have a single maintainer. Combined, they handle 3.2 billion installs per week.
These aren't obscure packages. They're at the base of the JavaScript dependency graph — the ones pulled into virtually every Node.js application ever built.
We scored the top 100 npm packages using Commit's behavioral trust scoring, which measures longevity, release consistency, maintainer depth, and organizational backing — signals that are hard to fake.
The Numbers
| Metric | Value |
|---|---|
| Packages audited | 100 |
| Total weekly downloads | 15.15 billion |
| CRITICAL-flagged packages | 14 (2.63B downloads/wk) |
| Single-maintainer packages | 40 — 7.23B downloads/wk (47%) |
| Average trust score | 68.7 / 100 |
47% of all weekly npm traffic flows through packages controlled by a single person. Not 14 packages — 40.
The Top 10 Most Downloaded npm Packages
| # | Package | Score | Risk | Maint. | Downloads/wk |
|---|---|---|---|---|---|
| 1 | ansi-styles | 52 | ✅ | 1 | 567M |
| 2 | semver | 90 | ✅ | 4 | 536M |
| 3 | brace-expansion | 60 | ✅ | 2 | 483M |
| 4 | minimatch | 85 | 🔴 CRITICAL | 1 | 473M |
| 5 | debug | 79 | ✅ | 2 | 462M |
| 6 | strip-ansi | 50 | ✅ | 1 | 452M |
| 7 | supports-color | 53 | ✅ | 1 | 409M |
| 8 | string-width | 51 | ✅ | 1 | 407M |
| 9 | wrap-ansi | 51 | ✅ | 1 | 359M |
| 10 | ansi-regex | 70 | 🔴 CRITICAL | 1 | 348M |
The top package by weekly download count in the entire npm ecosystem isn't react. It isn't typescript. It's ansi-styles — a package that provides ANSI escape code strings for terminal colors. One maintainer. 567 million installs per week.
Numbers 1, 6, 7, 8, 9, and 10 form a cluster — all part of the ANSI terminal color ecosystem. All with a single maintainer. Combined: over 2.1 billion weekly downloads.
The CRITICAL 14
CRITICAL = >10M weekly downloads + single maintainer with npm publish access. One token. One compromise window.
| Package | Score | Downloads/wk | Embedded in… |
|---|---|---|---|
| minimatch | 85 | 473M | ESLint, Jest, webpack, Vite, npm CLI |
| ansi-regex | 70 | 348M | chalk, strip-ansi, every CLI with color |
| chalk | 75 | 339M | Everything with colored terminal output |
| glob | 81 | 276M | ESLint, webpack, Jest, Node.js |
| @types/node | 88 | 261M | Every TypeScript backend project |
| esbuild | 88 | 171M | Vite, Next.js, most modern bundlers |
| chokidar | 81 | 134M | webpack, Vite, Jest, all file watchers |
| zod | 83 | 134M | tRPC, Next.js, most validation layers |
| caniuse-lite | 84 | 132M | Babel, Browserslist, PostCSS |
| fast-deep-equal | 68 | 122M | React reconciler, Redux, Vue, ajv |
| lodash | 87 | 122M | Millions of direct dependencies |
| axios | 86 | 82M | Millions of direct dependencies |
| husky | 77 | 21M | Git hook management in most repos |
| cross-env | 73 | 14M | Cross-platform npm scripts |
axios carries an identical structural profile to ua-parser-js — which was CRITICAL-flagged before its October 2021 compromise. npm audit showed zero warnings before that attack. The structural signal was visible. The CVE database had nothing until four hours after the malicious publish.
Score Distribution
| Tier | Score | Count |
|---|---|---|
| Elite — multi-org backing, decade-long record | 90–100 | 12 |
| Healthy — established, active, watch depth | 70–89 | 33 |
| Moderate — maintenance gaps, shallow contributor base | 50–69 | 43 |
| At Risk — stalled releases, single point of failure | <50 | 12 |
43 packages score 50–69: technically not flagged, but with billions of weekly downloads between them and no organizational backup. This is the quiet risk — not alarming enough for a red flag, deep enough in the graph that nobody audits it.
What SAFE Looks Like
The 12 packages scoring 90+:
| Package | Score | Maint. | Downloads/wk |
|---|---|---|---|
| rollup | 99 | 5 | 90M |
| typescript | 98 | 6 | 154M |
| express | 97 | 5 | 77M |
| vite | 96 | 4 | 92M |
| undici | 96 | 3 | 75M |
| dotenv | 94 | 3 | 100M |
| @babel/core | 93 | 4 | 108M |
| eslint | 91 | 2 | 108M |
| react | 91 | 2 | 109M |
| react-dom | 91 | 2 | 103M |
| ws | 90 | 4 | 162M |
| semver | 90 | 4 | 536M |
semver (#2 by downloads, 536M/week) scores 90 and is team-maintained by npm Inc. That's what supply chain resilience looks like. The problem is that it's surrounded on both sides by packages with single maintainers.
Methodology
Trust scoring uses Commit's behavioral scoring engine:
| Signal | Max | What it measures |
|---|---|---|
| Longevity | 25 | Years maintained, consistency of presence |
| Download Momentum | 25 | Recent growth or stability trends |
| Release Consistency | 20 | Cadence regularity, not just volume |
| Maintainer Depth | 15 | Number of active publishers with commit history |
| GitHub Backing | 15 | Stars, contributor count, organizational indicators |
CRITICAL = >10M weekly downloads + 1 active maintainer with npm publish access. This is the exact structural profile that the ua-parser-js compromise (2021), the colors.js sabotage (2022), and the event-stream incident (2018) all shared.
This analysis does not replace npm audit — it answers a different question. npm audit scans known CVEs. Commit scores structural resilience: would this package survive a maintainer compromise, a token theft, or a gradual abandonment?
Audit Your Own Project
```bash
# Zero install — scan your package.json or lock file
npx proof-of-commitment --file package.json
npx proof-of-commitment --file package-lock.json   # scans transitive deps too

# Check specific packages
npx proof-of-commitment chalk zod axios minimatch

# Web: https://getcommit.dev/audit
```
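As an added illustration of the Methodology and audit flow above (not Commit's scoring engine and not the proof-of-commitment tool's code), this Python walks a lockfile-v3 `packages` map to enumerate transitive dependencies, then applies the page's stated CRITICAL rule (more than 10M weekly downloads and exactly one publisher) and score tiers to each. The lockfile fragment and the metadata table are constructed stand-ins for a real package-lock.json and registry lookups, and the "share" figure is assumed to mean the fraction of the project's install volume flowing through CRITICAL packages.

```python
import json

# Constructed lockfile-v3 fragment standing in for a real package-lock.json
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"minimatch": "^9.0.0", "zod": "^3.23.0"}},
    "node_modules/minimatch": {"version": "9.0.4",
                               "dependencies": {"brace-expansion": "^2.0.1"}},
    "node_modules/brace-expansion": {"version": "2.0.1"},
    "node_modules/zod": {"version": "3.23.8"},
    "node_modules/typescript": {"version": "5.4.5", "dev": true}
  }}""")

# Constructed metadata (weekly downloads, publishers with npm publish access,
# trust score) standing in for what a registry lookup would return.
META = {
    "minimatch": (473_000_000, 1, 85),
    "brace-expansion": (483_000_000, 2, 60),
    "zod": (134_000_000, 1, 83),
    "typescript": (154_000_000, 6, 98),
}

TIERS = [(90, "Elite"), (70, "Healthy"), (50, "Moderate"), (0, "At Risk")]
CRITICAL_DOWNLOADS = 10_000_000  # the >10M/week threshold from the page

def lockfile_packages(lock):
    """Every installed package name (incl. scoped and nested) in a lockfile-v3 map."""
    names = {path.rsplit("node_modules/", 1)[1]
             for path in lock["packages"] if path}  # "" is the root project
    return sorted(names)

def tier(score):
    """Map a 0-100 trust score onto the page's four tier bands."""
    return next(label for floor, label in TIERS if score >= floor)

def is_critical(downloads, publishers):
    """CRITICAL = >10M weekly downloads AND a single publisher with publish access."""
    return downloads > CRITICAL_DOWNLOADS and publishers == 1

def audit(lock, meta):
    """Score each dependency; return rows plus the % of install volume that is CRITICAL."""
    rows = []
    for name in lockfile_packages(lock):
        downloads, publishers, score = meta[name]
        rows.append({"name": name, "score": score, "tier": tier(score),
                     "critical": is_critical(downloads, publishers),
                     "downloads": downloads})
    total = sum(r["downloads"] for r in rows)
    critical = sum(r["downloads"] for r in rows if r["critical"])
    return rows, round(100 * critical / total, 1)
```

Note that minimatch lands in the Healthy tier yet is CRITICAL: the tier reflects the score, while the CRITICAL flag is a separate structural test, which is why a high score alone does not clear a package.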
Previous report: April 2026 — 50 packages.